help understanding alarm for generic SQL injection in HTTP

Unanswered Question
Jan 16th, 2008

I don't quite get the regex in 5474-1 shown below. The '+' I think I get; if the data is a GET or a POST with enctype=application/x-www-form-urlencoded then spaces are encoded as +. But the regex also appears to be looking for a literal '%' and then '20'. Why for? If the request is "multipart/form-data" it will have a space character in the data (which has a hex value of \x20 but that's not what the regex is looking for).

([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])[^\r\n\x00-\x19\x7F-\xFF]+([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])

mhellman Wed, 01/16/2008 - 15:25

hmmm...upon further thought, this would be required for detecting SQL injection via GET method. So, I guess my question now is, what about via POST with enctype="multipart/form-data"?
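The coverage question raised in this thread, as an added example that is not part of the original posts or of the vendor's signature set: the 5474-1 regex quoted above is run over a GET request, a urlencoded POST body and a multipart/form-data body. The sample requests are constructed, and `NORMALIZED` with its decode-then-match step is a hypothetical variant shown only for comparison.

```python
import re
from urllib.parse import unquote_plus

# Regex of signature 5474-1, joined from the fragments quoted in the question.
SIG_5474 = re.compile(
    r"([%]20|[=]|[+])[Ss][Ee][Ll][Ee][Cc][Tt]([%]20|[+])"
    r"[^\r\n\x00-\x19\x7F-\xFF]+"
    r"([%]20|[+])[Ff][Rr][Oo][Mm]([%]20|[+])"
)

# Hypothetical variant (an assumption, not a real signature): decode the data
# first, then accept any whitespace as the delimiter around the keywords.
NORMALIZED = re.compile(
    r"[\s=]select\s[^\r\n\x00-\x19\x7F-\xFF]+\sfrom\s", re.IGNORECASE
)

# Constructed sample inputs, one per encoding discussed in the thread.
GET_REQUEST = "GET /search?q=select%20name%20from%20users%20where HTTP/1.1\r\n"
FORM_BODY = "q=select+name+from+users+where"  # application/x-www-form-urlencoded
MULTIPART_BODY = (
    '--b\r\nContent-Disposition: form-data; name="q"\r\n\r\n'
    "select name from users where\r\n--b--\r\n"  # spaces are raw \x20 bytes
)
BENIGN_BODY = "q=selection+of+items+from+stock"


def signature_hits(data: str) -> bool:
    """True if the raw data matches the 5474-1 regex as written."""
    return SIG_5474.search(data) is not None


def normalized_hits(data: str) -> bool:
    """True if the data matches after %XX and '+' decoding (hypothetical)."""
    return NORMALIZED.search(unquote_plus(data)) is not None


if __name__ == "__main__":
    samples = {
        "GET query": GET_REQUEST,
        "urlencoded POST": FORM_BODY,
        "multipart POST": MULTIPART_BODY,
        "benign": BENIGN_BODY,
    }
    for label, data in samples.items():
        print(f"{label:16} 5474-1={signature_hits(data)!s:5} "
              f"normalized={normalized_hits(data)}")
```

The multipart sample is the only SQL-bearing input the original regex does not match, because its delimiters are literal `\x20` bytes rather than `%20` or `+`.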
